itman
-
Posts
12,836 -
Joined
-
Last visited
-
Days Won
337
Posts posted by itman
-
-
Go here: https://thebestvpn.com/chrome-extension-vpn-dns-leaks/ and click on "take test here link." Report back with test result.
-
18 minutes ago, Modey said:
then why do i keep getting this message on opening any website even eset website
I don't have an answer for you. It is possible your Internet traffic is being monitored, etc.. It has happened previously in Egypt: https://en.wikipedia.org/wiki/Internet_censorship_and_surveillance_by_country .
-
10 minutes ago, Modey said:
but the messages that show up to me have an ip address 93.190.140.94
That IP address also resolves to customer.worldstream.nl per IPVoid and is 100% clean: http://www.ipvoid.com/ip-blacklist-check/ .
-
Interestingly, URLVoid scan of scrlink.cool shows the reverse DNS to customer.worldstream.nl in the Netherlands: https://www.urlvoid.com/scan/scrlink.cool/ . It is 100% clean.
-
Appears Chrome has an issue with Cloudflare and everything else from that matter.
Per Robtex:
QuoteANALYSIS
This section shows a quick analyis of the given host name or ip number.Scrlink.cool has two name servers and four IP numbers.
Cloudflare name servers
The name servers are elinore.ns.cloudflare.com and hugh.ns.cloudflare.com.
What's the story behind the names of CloudFlare's name servers?.
IP numbers
The IP numbers are 2606:4700:e0::ac40:6613, 2606:4700:e0::ac40:6713, 172.64.102.19 and 172.64.103.19. The IP numbers are in San Francisco, United States.
We investigated one host name that cnames to scrlink.cool.
Results found
Scrlink.com, clinksr.com, clrskin.com, crinkls.com, crlinks.com, crslink.com, csrlink.com, linkcsr.com, linkscr.com, linksrc.com, lrnicks.com and lskrinc.com.
-
2 hours ago, Haresh2015 said:
Solution: remove all firewall rules in ESET Advance Setup.
I would have first set the Eset firewall to its default setting of Automatic which allows all outbound connections and see if that resolved the Chrome issue. I would also delete all existing rules that apply to Chrome. -EDIT- Prior to deleting the Chrome rules, take a screen shot of all its existing rules. Those can then be reapplied one by one testing the impact of each rule to determine the rule/s preventing Chrome's start up or impacting its execution.
-
Eset doesn't have a detailed write up on this variant, Win64/Vools.F trojan, but does have one for an earlier variant: https://www.virusradar.com/en/Win64_Vools.B/description .
It appears this malware is designed to exploit the well publicized SMBv1 vulnerability disclosed here and patched in 2017: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
-
7 hours ago, killer said:
also my cmd is disabled, everytime i open it, it closes automatically
What version of Windows do you have installed?
How are you trying to open the command prompt window? Via Start menu option? If you are using Win 10, enter "command" less the quote marks in the desktop lower toolbar search window. Then click on Command Prompt in the displayed window.
-
What Eset product do you have installed; e.g. Internet Security?
-
3 minutes ago, Marcos said:
I assume that the file share web page is not malicious but it was a malicious iframe, ad or whatever that was blocked.
That sounds reasonable but I would recommend that a full Eset alert be displayed which would allow the user to terminate the web page connection.
-
When checking out a screen shot posting on a file share site in a security forum I frequent, hxxps://imx.to/i/1yj02x , Eset detected what appears to be redirect to a malicious porn site based on what other forum posters related:
Time;URL;Status;Application;User;IP address;SHA1
2/12/2019 4:27:17 PM;https://afeuvqrsswz.com;Blocked by internal IP blacklist;C:\Program Files\internet explorer\iexplore.exe;XXX-XX\XXXX-XXX;216.21.13.15;021415D73D02C6247001BAD6E5C9BC6E220F34FCEset displayed the above as a small desktop popup alert upon access to the web page. However, the file share web page was still displayed. At that point and knowing better, I should have exited the web site. Instead, I clicked on a "Continue" link displayed which resulted in a locked flashing browser screen with a loud alarm sounding, a voice stating I was infected with malware, and a phone number I needed to call to resolve the issue. Obviously, this was fake malware and I resolved it without issue. However, an average user might have been duped into responding to the fake malware.
My question is should Eset not have blocked the file share web page from displaying or terminated its connection thereafter at initial IP blacklist detection time?
-
2 hours ago, LB-ID said:
It has an Intel HD Graphics 520 video system
Always helps to post as much relevant information as possible.
Appears the 1803 update caused all kinds of issues with older Intel graphics chipsets. Below are a few references, You can Google search for others. Why the problem manifests for you using Eset still remains a mystery. Appears that disabling HVCI - memory integrity protection worked for some:
-
1 hour ago, Wynot said:
Turns out its Iheart.com
The site itself is clean per URLVoid: https://www.urlvoid.com/scan/iheart.com/ .
When I connect using iheart.com, I end up at quickio.iheart.com with an IP address of 34.195.19.104. Interestingly, that also resolves to Amazon per Robtex: https://www.robtex.com/ip-lookup/34.195.19.104 .
The common theme to these alerts appears to be the connection to Amazon servers in the U.S.. Also I use EIS and are receiving no alerts on any of these connections.
-EDIT- Forgot to mention to did observe routing connections through the Amazon backbone servers.
-
7 minutes ago, Marcos said:
Most likely the problem is that is supports http/2
According to this: https://tools.keycdn.com/http2-test , it does support HTTP/2.
I don't use Chrome. Perhaps their is a way via Chrome settings to connect to the site using HTTP/1.1 or 1.0 which according to a QUALS scan I did, the bank web site also supports?
-
For what it is worth, extended black screen at Win boot time is usually due to corrupted graphics driver files. The problem seems to be more pronounced on Win 10.
Don't see how Eset would have any impact on graphics driver loading/initializing.
-
As far as that IP address goes, it resolves to Amazon: https://www.robtex.com/dns-lookup/ec2-3-17-238-130.us-east-2.compute.amazonaws.com .
-EDIT- As far as domain https://secure-drm.imrworldwide.com goes, it is associated with:
QuoteThe IP number is 138.108.140.100. The IP number is in Schaumburg, United States. It is hosted by Route for Nielsen.
Secure-drm.imrworldwide.com has a chain of two CNAMEs ultimately pointing to secure-hongkong.imrworldwide.com. Secure-hongkong.imrworldwide.com has one IP number.
Per Robtex: https://www.robtex.com/dns-lookup/secure-drm.imrworldwide.com
Finally, IPVOID states 3.17.238.130 is not a valid IP address. Makes sense since it appears it is trying to directly access a backbone server. Appears something is screwed up DNS-wise.
-
This has come up before: https://forum.eset.com/topic/14840-jsadwarerevizerb-malware-eset-fails-to-remove/ . This helped one user although one complained it did not:
QuoteIn my case removing all chrome extensions resolved the issue completely.
-
My best guess is Eset is giving a 50% discount off of the full retail price of $79.99 for 3 - PCs for 1 year per my recent check at newegg.com. The $59.99 current price appears to be a temporary cut in price from the normal retail price of $79.99.
-
There are advanced persistent threats that can survive a HDD reformat and OS reinstall. What needs to be done is a disk wipe utility capable of performing military grade wiping/reformatting on drive be used. On a large hard drive this could take days or even a week or more to complete. A simpler solution is just to replaced the hard drive with a new one. Prior to doing so, I would experiment with a borrowed or unused hard drive from another device. When the OS is installed and AV software installed and no infection reoccurs, you have your confirmation the old hard drive is the source.
Also both your PCs are part of a larger local network, the malware could be resident on another device on the network.
-
This could or could not be related to the issue: http://woshub.com/could-not-reconnect-mapped-network-drives/ .
-
As far as how I believe Fortinet software is detecting the password protected archive:
QuoteThe network administrator remembers a great password-cracking tool available from Elcomsoft called Advanced Archive Password Recovery that can help him out so he proceeds to use it to crack the password.
https://www.dummies.com/programming/networking/how-password-protected-files-can-be-hacked/
-
One last thing.
Your router log is interspersed with ICMP flood entries. This is basically a "ping" attack. What is interesting is they all originate from IP address, 66.151.55.xxx. This address is associated with Internap Corporation who is a major Internet backbone infrastructure provider. Why they would be performing such activity against your device is very much a mystery. Also to be determined is if these are in any way related to the TCP SYN ACK activity.
Are you a gamer by any chance?
-
47 minutes ago, bbenz said:
How did you trace the IP's?
I use Robtex: https://www.robtex.com/
47 minutes ago, bbenz said:The internet cuts out every now and then and sometimes shuts off completely to where i need to reset the modem/router to get it back online.
Another possibility of what is occurring is NetGear is controlling the SYN/ACK activity from the LAN side of the router. Eset IDS sees this activity and is blocking it. This in turn eventually locks up the router. Again, you need to get info from Netgear on how the router responds to these TCP SYN flood attacks. It may end up that you will have to have Eset IDS allow this activity from the router, 192.168.1.1, only.
-EDIT- This posting is worth a read; scroll down to the end: https://community.netgear.com/t5/Cable-Modems-Routers/DoS-attack-SYN-Flood-Network-activity-stops/td-p/1504584 . Appears HP printer's might be the culprit.
-
There are a lot of 207.69.0.0/16 subnet addresses in the log you posted. That IP address range is allocated to Earthlink.net. Is Earthlink your ISP? I would contact their tech support about all these TCP SYN ACK transmissions you are receiving and that are being blocked as a DoS attack by your router. You can refer them to your log upload link above. Also one specific IP address I checked, 207.69.195.84, has an imap. prefix for its associated domain name. This makes me think there might be an issue perhaps with their e-mail servers.
Somewhat of a mystery is IP address, 23.34.140.54, which appears to be a legit Akamai address. Again, it appears the issue lies with the transmissions being forwarded by your ISP.
Also your log shows WAN side router DoS attacks being detected and supposed to be dropped by the router there. As far as I am aware of, Eset is unaware of this activity and is only monitoring LAN side router activity. It appears the router is "leaking" WAN side DoS activity to the LAN side and this is what Eset's IDS is detecting. You would have to discuss this with Netgear as to why this might be happening.
One possibility is that the router has been compromised with malware. Another is the DoS attacks have overwhelmed the router's blocking capability; not a pleasant possibility. Or for some unknown reason, this is by design in regards to TCP SYN Flood attack detection. For the time being, you can modify Eset IDS behavior in regards to this detection not to constantly alert you but still block it and log it if so desired. Refer to this: https://support.eset.com/kb2939/?locale=en_US&viewlocale=en_US on how to do so. If Netgear later informs you this is desired behavior, you can change the Eset IDS actions for this activity for block, notify, and log to "No."
scrlink.cool
in Malware Finding and Cleaning
Posted · Edited by itman
Since you are no longer using a VPN, go here: https://dnsleaktest.com/ and click on the Standard test. All the IP address shown should be associated with your ISP assuming you're using your ISP DNS servers. My ISP is AT&T and here are my results: